On 11/01/2010 04:45 PM, Jesús M. Navarro wrote:
> Hi, Ron:
>
> On Monday 01 November 2010 18:49:01 Ron Johnson wrote:
> [...]
>> If someone learns my password on day 2, they have full access to my account for 74 days, or I must beg for SysAdmin help? "Minimum number of days" isn't a very bright idea.
>
> It is, for a low minimum number. The rationale is to avoid the user reusing passwords: Ok, so my password is 12345678 and I must change it now? Let's do it: 87654321; but immediately I change back again.

The way to do it is to have a record in your password db of the hashes of each user's last N passwords.

> So if the minimum change time is about a week, it takes about the same effort to learn the new password as to change it back.

You're Doing It Wrong if you use "minimum days" to avoid password reuse.

--
Seek truth from facts.
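
The password-history record described in the reply above, as an added example that is not part of the original thread: each user keeps salted hashes of the current password and the N before it, and a change is refused if the candidate matches any of them. The class name, the depth values and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 3      # N previous passwords remembered (assumed value)
ITERATIONS = 100_000   # PBKDF2 work factor, illustrative only


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Hypothetical per-user record: current password plus the N before it."""

    def __init__(self, initial: str, depth: int = HISTORY_DEPTH):
        # maxlen = depth + 1 so the current password is always remembered too;
        # the deque silently drops the oldest entry when it is full.
        self._entries = deque(maxlen=depth + 1)
        self._store(initial)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per stored password
        self._entries.append((salt, _hash(password, salt)))

    def _seen(self, candidate: str) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        hit = False
        for salt, digest in self._entries:
            hit |= hmac.compare_digest(_hash(candidate, salt), digest)
        return hit

    def change(self, new_password: str) -> bool:
        """Accept the change only if the password is not in the history."""
        if self._seen(new_password):
            return False
        self._store(new_password)
        return True


def demo():
    # The flip / flip-back sequence from the quoted message (constructed input).
    h = PasswordHistory("12345678", depth=2)
    return [h.change("87654321"), h.change("12345678")]  # second change refused
```

An old password becomes acceptable again only after `depth` newer ones have pushed it out of the record, so the value of N decides how far back the check reaches.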